Legal claims defining the scope of protection, as filed with the USPTO.
1. A computer-implemented method executed by one or more processors comprising: assigning a first node in a distributed network to a first customer, the first node selected from a set of unassigned nodes that are not assigned to any customer, wherein the first node is associated with a first physical computing device; configuring the assigned first node to apply first security policies to first network traffic only between the first customer and first external destinations outside of the distributed network; determining that a second customer different than the first customer requires additional processing resources; in response to the determining, selecting a second node from the set of unassigned nodes for the second customer, wherein the second node is different than the first node, wherein the second node is associated with a second physical computing device different than the first physical computing device, and wherein the second node is selected based at least in part on the associated second physical computing device including no nodes that are assigned to the first customer; assigning the second node to the second customer; configuring the assigned second node to apply second security policies to second network traffic only between the second customer and second external destinations outside of the distributed network; applying, by the assigned first node, first security policies to the first network traffic, wherein the first network traffic of the first customer is isolated from the second network traffic of the second customer; and applying, by the assigned second node, second security policies to the second network traffic, wherein the second network traffic of the second customer is isolated from the first network traffic of the first customer.
2. The method of claim 1, further comprising determining that the first customer requires additional processing resources, wherein assigning the first node to the first customer is performed in response to the determination.
3. The method of claim 2, further comprising: after assigning the first node to the first customer, determining that the first customer no longer requires the first node; and de-assigning the first node from the first customer including deleting data associated with the first customer from the first node, and returning the first node to the set of unassigned nodes.
4. The method of claim 1, wherein configuring the assigned first node includes receiving, by the assigned first node, configuration information specific to the first customer only from one or more other nodes assigned to the first customer.
5. The method of claim 1, wherein the first node is a virtual machine instance executed by the first computing device.
6. The method of claim 1, wherein the first physical computing device is located on a local network controlled by the first customer.
7. The method of claim 6, further comprising assigning an additional node to the first customer, wherein the additional node is a virtual machine executed by a physical computing device located on a different network than the first physical computing device.
8. The method of claim 1, wherein the first node is of a particular node type, wherein the particular node type is one of an administrative node, a web security node, a reporting node, a sandbox node, an uptime node, or a risk assessment node.
9. The method of claim 8, wherein the first node is of a first node type, and an additional node assigned to the first customer is of a node type different than the first node type.
10. The method of claim 8, wherein the first node is of a first node type, and an additional node assigned to the first customer is also of the first node type.
11. The method of claim 8, wherein the first node is a web security node, and apply first security policies to first network traffic only between the first customer and first external destinations outside of the distributed network includes selectively filtering the first network traffic.
12. The method of claim 8, wherein the first node is a reporting node, and apply first security policies to first network traffic only between the first customer and first external destinations outside of the distributed network includes storing data associated with the network traffic of the first customer.
13. The method of claim 1, further comprising determining that the first customer requires additional processing resources in a particular geographic location based on at least one request associated with the first customer received from the particular geographic location, wherein assigning the first node to the first customer includes selecting the first node from the set of unassigned nodes based on a proximity of the location of the first physical computing device associated with the first node to the particular geographic location.
14. The method of claim 1, further comprising: receiving, from a client associated with the first customer, a request to access a multi-tenant user interface; authenticating the client to the multi-tenant user interface using credentials associated with the first customer; receiving a request to access data associated with the first customer from the client via the multi-tenant user interface; and in response to receiving the request from the client via the multi-tenant user interface, generating a request to the first node assigned to the first customer.
15. A non-transitory, computer-readable medium storing instructions operable when executed to cause at least one processor to perform operations comprising: assigning a first node in a distributed network to a first customer, the first node selected from a set of unassigned nodes that are not assigned to any customer, wherein the first node is associated with a first physical computing device; configuring the assigned first node to apply first security policies to first network traffic only between the first customer and first external destinations outside of the distributed network; determining that a second customer different than the first customer requires additional processing resources; in response to the determining, selecting a second node from the set of unassigned nodes for the second customer, wherein the second node is different than the first node, wherein the second node is associated with a second physical computing device different than the first physical computing device, and wherein the second node is selected based at least in part on the associated second physical computing device including no nodes that are assigned to the first customer; assigning the second node to the second customer; configuring the assigned second node to apply second security policies to second network traffic only between the second customer and second external destinations outside of the distributed network; applying, by the assigned first node, first security policies to the first network traffic, wherein the first network traffic of the first customer is isolated from the second network traffic of the second customer; and applying, by the assigned second node, second security policies to the second network traffic, wherein the second network traffic of the second customer is isolated from the first network traffic of the first customer.
16. The non-transitory, computer-readable medium of claim 15, the operations further comprising determining that the first customer requires additional processing resources, wherein assigning the first node to the first customer is performed in response to the determination.
17. The non-transitory, computer-readable medium of claim 16, the operations further comprising: after assigning the first node to the first customer, determining that the first customer no longer requires the first node; and de-assigning the first node from the first customer including deleting data associated with the first customer from the first node, and returning the first node to the set of the unassigned nodes.
18. The non-transitory, computer-readable medium of claim 15, wherein configuring the assigned first node includes receiving, by the assigned first node, configuration information specific to the first customer only from one or more other nodes assigned to the first customer.
19. A system comprising: non-transitory memory for storing data; and one or more processors operable to perform operations comprising: assigning a first node in a distributed network to a first customer, the first node selected from a set of unassigned nodes that are not assigned to any customer, wherein the first node is associated with a first physical computing device; configuring the assigned first node to apply first security policies to first network traffic only between the first customer and first external destinations outside of the distributed network; determining that a second customer different than the first customer requires additional processing resources; in response to the determining, selecting a second node from the set of unassigned nodes for the second customer, wherein the second node is different than the first node, wherein the second node is associated with a second physical computing device different than the first physical computing device, and wherein the second node is selected based at least in part on the associated second physical computing device including no nodes that are assigned to the first customer; assigning the second node to the second customer; configuring the assigned second node to apply second security policies to second network traffic only between the second customer and second external destinations outside of the distributed network; applying, by the assigned first node, first security policies to the first network traffic, wherein the first network traffic of the first customer is isolated from the second network traffic of the second customer; and applying, by the assigned second node, second security policies to the second network traffic, wherein the second network traffic of the second customer is isolated from the first network traffic of the first customer.
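The allocation rule in claims 1 to 3, as an added Python sketch that is not taken from the patent or from any vendor's implementation: nodes are drawn from an unassigned set, a node is skipped when its physical device already hosts a node of a different customer, and release deletes customer data before the node returns to the set. The names Node, NodePool, assign, release and the host and customer labels are assumptions, and the host check is generalized from "no nodes of the first customer" to "no nodes of any other customer".

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Node:
    node_id: str
    host: str                        # physical computing device the node runs on
    customer: Optional[str] = None   # None means the node is in the unassigned set
    data: dict = field(default_factory=dict)  # per-customer policies and state

class NodePool:
    def __init__(self, nodes):
        self.nodes = {n.node_id: n for n in nodes}

    def _tenants_on_host(self, host):
        # Customers that currently have at least one node on this physical device.
        return {n.customer for n in self.nodes.values()
                if n.host == host and n.customer is not None}

    def assign(self, customer, policies):
        """Pick an unassigned node whose host carries no other customer's nodes."""
        for node in sorted(self.nodes.values(), key=lambda n: n.node_id):
            if node.customer is not None:
                continue  # already assigned, not in the unassigned set
            if self._tenants_on_host(node.host) - {customer}:
                continue  # host already serves a different customer
            node.customer = customer
            node.data = {"policies": list(policies)}
            return node
        raise RuntimeError(f"no isolated unassigned node available for {customer}")

    def release(self, node_id):
        """De-assign: delete customer data first, then return the node to the pool."""
        node = self.nodes[node_id]
        node.data.clear()
        node.customer = None

def demo():
    # Constructed inventory: two physical hosts with two nodes each.
    pool = NodePool([Node("n1", "host-a"), Node("n2", "host-a"),
                     Node("n3", "host-b"), Node("n4", "host-b")])
    first = pool.assign("customer-1", ["block-malware"])
    second = pool.assign("customer-2", ["block-social"])   # must avoid host-a
    third = pool.assign("customer-1", ["block-malware"])   # may share host-a
    pool.release(first.node_id)
    return pool, first, second, third
```
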
July 1, 2025